How to handle the risk of insider threats post-COVID-19
During these challenging times, organizations can't overlook the risk of insider threats as employees worry about layoffs, newly adopted remote working technology and more.
For many organizations, the COVID-19 pandemic has, like an earthquake, shifted the ground beneath them. The current crisis presents organizations with an entirely new and unfamiliar set of risks to manage. As those organizations balance protecting their workforce with keeping business running, they also cannot lose sight of protecting against familiar risks as well. Specifically, the pandemic may increase the risk that negligent or malicious insiders may pose to critical assets and data.
Given this "new normal," there is value in refining current approaches to better protect critical assets even as the situation constantly changes.
Fundamental risks of insider threats
People are an organization's most important asset, but they are also human. We all have emotions, stresses and make mistakes. An insider threat occurs when those human factors cause an employee, contractor or vendor to either intentionally or unintentionally compromise valuable information, material, people or facilities.
While motives can vary from case to case, insider threats typically follow a discernible pattern of behavior that moves along a continuum of idea to action. As a result, behavioral factors can move a person past the idea phase, with technical or organizational factors potentially causing the person to actually conduct an insider attack.
New risks of a new world
Unusual times can provoke unusual responses in people. So far, organizations and workers have borne the challenges, but as the COVID-19 crisis stretches into months, the resilience of new tools, new ways of working, and above all, of employees themselves will be tested. Resilience is built by attitudes, behaviors and the use of social support. It is an inner strength that is helps people rebound in the face of adversity and see past the problem. It is enhanced through optimism, remaining balanced, managing strong emotions, and sustaining a sense of safety and social support.
New behavioral risks
Prolonged stress may increase anxiety and impulsivity, impair judgment and lead people to become negative and distort their experiences. In times of crisis, individuals can begin to feel desperate, resulting in erratic behavior, potentially increasing risk of insider events. For example, an unprecedented rate of separations -- whether by layoff or furlough -- and a decrease in financial markets has left many in precarious financial situations. For those hurting financially, normally unthinkable acts such as fraud could begin to seem like a viable lifeline.
New technical risks
The onset of the COVID-19 virus has resulted in significant changes to the way work is conducted. With states directing entire communities of "non-essential" workers to stay home, many businesses have had to rapidly shift to a virtual work environment. The speed of the change gave some organizations limited time to prepare and adapt current controls. Additionally, some of the technical controls that organizations typically have in place may have to be eased to allow for virtual work.
New organizational risks
Every organization has its own risk tolerance, that is how it decides to balance security with the execution of business operations. Too much security can impede business, while too little can jeopardize critical assets.
The COVID-19 pandemic has caused many organizations to shift their risk tolerance almost overnight as they adapted to new ways in which work is conducted. However, it is critical that organizations do not let temporary measures become permanent defaults.
Ways to mitigate insider threats
Here are a few areas organizations can focus on to help reduce insider threats.
With many workers shifting to an unfamiliar virtual environment, new tools may be needed both to enable them to work (e.g., cloud-based access to files, new videoconferencing or collaboration tools), to verify users (e.g., multifactor authentication), and to protect sensitive data from loss (e.g., limitations on attaching files or downloading large volumes of data). Involving security professionals in decisions on even the rapid acquisition of new tools can help ensure that data is protected without impeding business in the new environment.
Polls show that the defining emotions of the moment are fear, uncertainty and anxiety. Clear and frequent communication can help allay those fears in both the workforce and customers. That can help workers feel more comfortable at work, making them less prone to mistakes or rash actions.
Finally, just because it is a global crisis does not mean that more familiar management decisions can take a break. In fact, in a rapidly shifting environment, those management decisions may need to become more frequent. Leaders should continuously reevaluate how the work environment is shifting as we move into the re-open phase of the crisis, adjusting the risk tolerance and controls of the organization accordingly.
Managing risk while staying resilient
The COVID-19 pandemic is a seismic shift. It is causing the ground to move beneath nearly every organization. In such difficult circumstances, the resilience of workers is shining through as organizations continue to operate as best they can. However, we are all human, and as the crisis drags on, uncertainty, new technologies and changing circumstances can introduce risk even to the best-prepared organizations. Timely steps to address those risks can help save significant disruption and loss of critical assets tomorrow, all while supporting the resilience of the workforce today.
About the author
Dr. Michael G. Gelles is the managing director of Deloitte Consulting LLP. He advises a wide variety of clients in the public and private sector. Dr. Gelles is a known insider threat specialist focused on cyber and physical security risks, asset loss, exploitation, terrorism workplace violence and sabotage. Dr. Gelles works to improve organizations' insider threat posture with a specific emphasis on people, mission and risk. Dr. Gelles has led the development of over 50 insider threat programs including Deloitte's own program that entails a number of proprietary innovative solutions. He is an author of two books as well as numerous articles and is a frequent guest speaker. His books include Threat Assessment a Risk Managed Approach and Insider Threat: Prevention, Detection, Mitigation and Deterrence. Before joining Deloitte, Dr. Gelles spent 20 years with the Navy and the Naval Criminal Investigative Service.